CWE-203
AllowedObservable Discrepancy
Abstraction: Base · Status: Incomplete
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.
836 vulnerabilities reference this CWE, most recent first.
GHSA-PM6H-2VPW-RHHG
Vulnerability from github – Published: 2022-08-12 00:01 – Updated: 2022-08-14 00:00In PackageManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-224547584
{
"affected": [],
"aliases": [
"CVE-2022-20252"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-11T15:15:00Z",
"severity": "LOW"
},
"details": "In PackageManager, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-224547584",
"id": "GHSA-pm6h-2vpw-rhhg",
"modified": "2022-08-14T00:00:21Z",
"published": "2022-08-12T00:01:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20252"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PMH6-RRRW-XVHH
Vulnerability from github – Published: 2025-05-26 15:30 – Updated: 2025-05-26 15:30A minor information leak when running Screen with setuid-root privileges allosw unprivileged users to deduce information about a path that would otherwise not be available.
Affected are older Screen versions, as well as version 5.0.0.
{
"affected": [],
"aliases": [
"CVE-2025-46804"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-26T14:15:19Z",
"severity": "LOW"
},
"details": "A minor information leak when running Screen with setuid-root privileges allosw unprivileged users to deduce information about a path that would otherwise not be available.\n\n\nAffected are older Screen versions, as well as version 5.0.0.",
"id": "GHSA-pmh6-rrrw-xvhh",
"modified": "2025-05-26T15:30:34Z",
"published": "2025-05-26T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46804"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-46804"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2025/05/12/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PP5M-FRF4-QC3R
Vulnerability from github – Published: 2025-02-27 21:32 – Updated: 2025-03-01 00:31Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 were discovered to utilize insecure versions of the functions strcmp and memcmp, allowing attackers to possibly obtain sensitive information via timing attacks.
{
"affected": [],
"aliases": [
"CVE-2024-41335"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-27T21:15:36Z",
"severity": "HIGH"
},
"details": "Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior to v3.9.9.4, Vigor 2133/2762/2832 prior to v3.9.8, Vigor 2135/2765/2766 prior to v4.4.5.1, Vigor 2865/2866/2927 prior to v4.4.5.3, Vigor 2962/3910 prior to v4.3.2.7, Vigor 3912 prior to v4.3.5.2, and Vigor 2925 up to v3.9.6 were discovered to utilize insecure versions of the functions strcmp and memcmp, allowing attackers to possibly obtain sensitive information via timing attacks.",
"id": "GHSA-pp5m-frf4-qc3r",
"modified": "2025-03-01T00:31:54Z",
"published": "2025-02-27T21:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41335"
},
{
"type": "WEB",
"url": "https://medium.com/faraday/advisory-multiple-vulnerabilities-affecting-draytek-routers-78a6cb8b3946"
},
{
"type": "WEB",
"url": "http://draytek.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PVM5-9FRX-264R
Vulnerability from github – Published: 2026-01-15 18:17 – Updated: 2026-01-21 16:55Summary
A user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs.
Impact
The login UIs (in version 1 and 2) provide the possibility to request a password reset, where an email will be sent to the user with a link to a verification endpoint. By submitting arbitrary userIDs to these endpoints, an attacker can differentiate between valid and invalid accounts based on the system's response.
For an effective exploit the attacker needs to iterate through the potential set of userIDs. The impact can be limited by implementing rate limiting or similar measures to limit enumeration of userIDs.
Additionally, Zitadel includes a security feature "Ignoring unknown usernames", designed to prevent username enumeration attacks by presenting a generic response for both valid and invalid usernames on the login page. The login UI V2 did not handle the setting correctly and would allow attackers to enumerate through usernames to check their existence.
Affected Versions
All versions within the following ranges, including release candidates (RCs), are affected:
- v4.x: 4.0.0 through 4.9.0
- 3.x: 3.0.0 through 3.4.5
- 2.x: 2.0.0 through 2.71.19
Patches
The vulnerability has been addressed in the latest releases. The patch resolves the issue by returning a generic error message, which does not indicate it the user exists.
4.x: Upgrade to >=4.9.1 3.x: Update to >=3.4.6 2.x: Update to >=3.4.6
Workarounds
The recommended solution is to update ZITADEL to a patched version. You can limit the impact by implementing rate limiting or similar measures to limit enumeration of userIDs.
There is no workaround for the "Ignoring unknown usernames" issue in login V2. Please upgrade to a patched version, if you rely on this feature.
Questions
If you have any questions or comments about this advisory, please email us at security@zitadel.com
Credits
Thanks to Niklas Kunz from Seamly for reporting this vulnerability from their pentest.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.9.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.9.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.4.5"
},
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-23511"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-15T18:17:06Z",
"nvd_published_at": "2026-01-15T20:16:05Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nA user enumeration vulnerability has been discovered in Zitadel\u0027s login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs.\n\n### Impact\n\nThe login UIs (in version 1 and 2) provide the possibility to request a password reset, where an email will be sent to the user with a link to a verification endpoint.\nBy submitting arbitrary userIDs to these endpoints, an attacker can differentiate between valid and invalid accounts based on the system\u0027s response.\n\nFor an effective exploit the attacker needs to iterate through the potential set of userIDs. The impact can be limited by implementing [rate limiting](https://zitadel.com/docs/self-hosting/manage/production#limits-and-quotas) or similar measures to limit enumeration of userIDs.\n\nAdditionally, Zitadel includes a security feature \"Ignoring unknown usernames\", designed to prevent username enumeration attacks by presenting a generic response for both valid and invalid usernames on the login page. The login UI V2 did not handle the setting correctly and would allow attackers to enumerate through usernames to check their existence.\n\n### Affected Versions\n\nAll versions within the following ranges, including release candidates (RCs), are affected:\n- **v4.x**: `4.0.0` through `4.9.0`\n- **3.x**: `3.0.0` through `3.4.5`\n- **2.x**: `2.0.0` through `2.71.19`\n\n### Patches\n\nThe vulnerability has been addressed in the latest releases. The patch resolves the issue by returning a generic error message, which does not indicate it the user exists.\n\n4.x: Upgrade to \u003e=[4.9.1](https://github.com/zitadel/zitadel/releases/tag/v4.9.1)\n3.x: Update to \u003e=[3.4.6](https://github.com/zitadel/zitadel/releases/tag/v3.4.6)\n2.x: Update to \u003e=[3.4.6](https://github.com/zitadel/zitadel/releases/tag/v3.4.6)\n\n### Workarounds\n\nThe recommended solution is to update ZITADEL to a patched version. You can limit the impact by implementing [rate limiting](https://zitadel.com/docs/self-hosting/manage/production#limits-and-quotas) or similar measures to limit enumeration of userIDs.\n\nThere is no workaround for the \"Ignoring unknown usernames\" issue in login V2. Please upgrade to a patched version, if you rely on this feature.\n\n### Questions\n\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits\n\nThanks to Niklas Kunz from Seamly for reporting this vulnerability from their pentest.",
"id": "GHSA-pvm5-9frx-264r",
"modified": "2026-01-21T16:55:10Z",
"published": "2026-01-15T18:17:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-pvm5-9frx-264r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23511"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/commit/0bb00dd9fc4e5e965f8e14fa2161a5076f3c308d"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/commit/b85ab69e4679b0268e2b0e9b4cd04e934af10dd2"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/commit/c300d4cc6a2775ab17ddfe76492f24170f8b858d"
},
{
"type": "PACKAGE",
"url": "https://github.com/zitadel/zitadel"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.6"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/releases/tag/v4.9.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Zitadel has a user enumeration vulnerability in Login UIs"
}
GHSA-Q2V2-PGM4-M8C8
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.
{
"affected": [],
"aliases": [
"CVE-2018-0495"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-13T23:29:00Z",
"severity": "MODERATE"
},
"details": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
"id": "GHSA-q2v2-pgm4-m8c8",
"modified": "2022-05-13T01:18:24Z",
"published": "2022-05-13T01:18:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0495"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"type": "WEB",
"url": "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4231"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3850-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3850-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3692-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3692-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3689-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3689-1"
},
{
"type": "WEB",
"url": "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html"
},
{
"type": "WEB",
"url": "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965"
},
{
"type": "WEB",
"url": "https://dev.gnupg.org/T4011"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2237"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1543"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1297"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1296"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3505"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3221"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041144"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041147"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q392-PCC3-WQ35
Vulnerability from github – Published: 2022-08-10 00:00 – Updated: 2022-08-10 00:00Windows Defender Credential Guard Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-34710, CVE-2022-34712.
{
"affected": [],
"aliases": [
"CVE-2022-34704"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-203",
"CWE-319"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-09T20:15:00Z",
"severity": "MODERATE"
},
"details": "Windows Defender Credential Guard Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-34710, CVE-2022-34712.",
"id": "GHSA-q392-pcc3-wq35",
"modified": "2022-08-10T00:00:18Z",
"published": "2022-08-10T00:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34704"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34704"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34704"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/168329/Windows-Credential-Guard-Non-Constant-Time-Comparison-Information-Disclosure.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q5CF-73CV-R7F2
Vulnerability from github – Published: 2026-07-15 12:32 – Updated: 2026-07-15 12:32Capgo (Cap-go/capgo) before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST SECURITY DEFINER RPC function public.rescind_invitation that allows unauthenticated attackers to enumerate organization existence. The function returns distinct error messages (NO_ORG vs NO_RIGHTS) when called with only a publishable API key, enabling attackers to discover valid organization IDs and increase the attack surface for targeted phishing or social engineering campaigns.
{
"affected": [],
"aliases": [
"CVE-2026-56339"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-15T12:18:02Z",
"severity": "HIGH"
},
"details": "Capgo (Cap-go/capgo) before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST SECURITY DEFINER RPC function public.rescind_invitation that allows unauthenticated attackers to enumerate organization existence. The function returns distinct error messages (NO_ORG vs NO_RIGHTS) when called with only a publishable API key, enabling attackers to discover valid organization IDs and increase the attack surface for targeted phishing or social engineering campaigns.",
"id": "GHSA-q5cf-73cv-r7f2",
"modified": "2026-07-15T12:32:02Z",
"published": "2026-07-15T12:32:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-8432-3cgm-vw5j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56339"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/capgo-unauthenticated-organization-existence-enumeration-via-rescind-invitation-rpc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q5FM-9W82-2M78
Vulnerability from github – Published: 2022-01-27 00:01 – Updated: 2022-02-02 00:01In Bromite through 78.0.3904.130, there are adblock rules in the release APK; therefore, probing which resources are blocked and which aren't can identify the application version and defeat the User-Agent protection mechanism.
{
"affected": [],
"aliases": [
"CVE-2019-25056"
],
"database_specific": {
"cwe_ids": [
"CWE-203"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-26T05:15:00Z",
"severity": "MODERATE"
},
"details": "In Bromite through 78.0.3904.130, there are adblock rules in the release APK; therefore, probing which resources are blocked and which aren\u0027t can identify the application version and defeat the User-Agent protection mechanism.",
"id": "GHSA-q5fm-9w82-2m78",
"modified": "2022-02-02T00:01:58Z",
"published": "2022-01-27T00:01:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25056"
},
{
"type": "WEB",
"url": "https://github.com/bromite/bromite/issues/2#issuecomment-524102774"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q5P6-RX6M-VX4M
Vulnerability from github – Published: 2024-03-04 18:30 – Updated: 2024-03-04 18:30IBM CICS TX Advanced 10.1 could disclose sensitive information to a remote attacker due to observable discrepancy in HTTP responses. IBM X-Force ID: 260814.
{
"affected": [],
"aliases": [
"CVE-2023-38362"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-204"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-04T16:15:49Z",
"severity": "MODERATE"
},
"details": "IBM CICS TX Advanced 10.1 could disclose sensitive information to a remote attacker due to observable discrepancy in HTTP responses. IBM X-Force ID: 260814.",
"id": "GHSA-q5p6-rx6m-vx4m",
"modified": "2024-03-04T18:30:35Z",
"published": "2024-03-04T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38362"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/260814"
},
{
"type": "WEB",
"url": "https://https://www.ibm.com/support/pages/node/7066430"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q65W-FG65-79F4
Vulnerability from github – Published: 2025-03-14 19:55 – Updated: 2025-03-19 15:28Description:
The feldman_vss library contains timing side-channel vulnerabilities in its matrix operations, specifically within the _find_secure_pivot function and potentially other parts of _secure_matrix_solve. These vulnerabilities are due to Python's execution model, which does not guarantee constant-time execution. An attacker with the ability to measure the execution time of these functions (e.g., through repeated calls with carefully crafted inputs) could potentially recover secret information used in the Verifiable Secret Sharing (VSS) scheme.
The _find_secure_pivot function, used during Gaussian elimination in _secure_matrix_solve, attempts to find a non-zero pivot element. However, the conditional statement if matrix[row][col] != 0 and row_random < min_value: has execution time that depends on the value of matrix[row][col]. This timing difference can be exploited by an attacker.
The constant_time_compare function in this file also does not provide a constant-time guarantee.
This advisory formalizes the timing side-channel vulnerabilities already documented in the library's "Known Security Vulnerabilities" section. The Python implementation of matrix operations in the _find_secure_pivot and _secure_matrix_solve functions cannot guarantee constant-time execution, potentially leaking information about secret polynomial coefficients.
An attacker with the ability to make precise timing measurements of these operations could potentially extract secret information through statistical analysis of execution times, though practical exploitation would require significant expertise and controlled execution environments.
Impact:
Successful exploitation of these timing side-channels could allow an attacker to recover secret keys or other sensitive information protected by the VSS scheme. This could lead to a complete compromise of the shared secret.
References:
- File:
feldman_vss.py - Function:
_find_secure_pivot - Function:
_secure_matrix_solve - Function:
constant_time_compare - Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems (1996) - A seminal paper on timing attacks.
- Side-Channel Attacks - Wikipedia article on side-channel attacks.
Remediation:
As acknowledged in the library's documentation, these vulnerabilities cannot be adequately addressed in pure Python. The advisory recommends:
-
SHORT TERM: Consider using this library only in environments where timing measurements by attackers are infeasible.
-
MEDIUM TERM: Implement your own wrappers around critical operations using constant-time libraries in languages like Rust, Go, or C.
-
LONG TERM: Wait for the planned Rust implementation mentioned in the library documentation that will properly address these issues.
Note that the usage of random.Random() identified in the _refresh_shares_additive function is intentional and secure as documented in the "False-Positive Vulnerabilities" section of the code, and should not be considered part of this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "PostQuantum-Feldman-VSS"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.8.0b2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-29780"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-208",
"CWE-385"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-14T19:55:10Z",
"nvd_published_at": "2025-03-14T18:15:32Z",
"severity": "MODERATE"
},
"details": "**Description:**\n\nThe `feldman_vss` library contains timing side-channel vulnerabilities in its matrix operations, specifically within the `_find_secure_pivot` function and potentially other parts of `_secure_matrix_solve`. These vulnerabilities are due to Python\u0027s execution model, which does not guarantee constant-time execution. An attacker with the ability to measure the execution time of these functions (e.g., through repeated calls with carefully crafted inputs) could potentially recover secret information used in the Verifiable Secret Sharing (VSS) scheme.\n\nThe `_find_secure_pivot` function, used during Gaussian elimination in `_secure_matrix_solve`, attempts to find a non-zero pivot element. However, the conditional statement `if matrix[row][col] != 0 and row_random \u003c min_value:` has execution time that depends on the value of `matrix[row][col]`. This timing difference can be exploited by an attacker.\n\nThe `constant_time_compare` function in this file also does not provide a constant-time guarantee.\n\nThis advisory formalizes the timing side-channel vulnerabilities already documented in the library\u0027s \"Known Security Vulnerabilities\" section. The Python implementation of matrix operations in the _find_secure_pivot and _secure_matrix_solve functions cannot guarantee constant-time execution, potentially leaking information about secret polynomial coefficients.\n\nAn attacker with the ability to make precise timing measurements of these operations could potentially extract secret information through statistical analysis of execution times, though practical exploitation would require significant expertise and controlled execution environments.\n\n**Impact:**\n\nSuccessful exploitation of these timing side-channels could allow an attacker to recover secret keys or other sensitive information protected by the VSS scheme. This could lead to a complete compromise of the shared secret.\n\n**References:**\n\n* File: `feldman_vss.py`\n* Function: `_find_secure_pivot`\n* Function: `_secure_matrix_solve`\n* Function: `constant_time_compare`\n* [Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems (1996)](https://www.rambus.com/wp-content/uploads/2015/08/TimingAttacks.pdf) - A seminal paper on timing attacks.\n* [Side-Channel Attacks](https://en.wikipedia.org/wiki/Side-channel_attack) - Wikipedia article on side-channel attacks.\n\n**Remediation:**\n\nAs acknowledged in the library\u0027s documentation, these vulnerabilities cannot be adequately addressed in pure Python. The advisory recommends:\n\n1. SHORT TERM: Consider using this library only in environments where timing measurements by attackers are infeasible.\n\n2. MEDIUM TERM: Implement your own wrappers around critical operations using constant-time libraries in languages like Rust, Go, or C.\n\n3. LONG TERM: Wait for the planned Rust implementation mentioned in the library documentation that will properly address these issues.\n\nNote that the usage of random.Random() identified in the _refresh_shares_additive function is intentional and secure as documented in the \"False-Positive Vulnerabilities\" section of the code, and should not be considered part of this vulnerability.",
"id": "GHSA-q65w-fg65-79f4",
"modified": "2025-03-19T15:28:08Z",
"published": "2025-03-14T19:55:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/DavidOsipov/PostQuantum-Feldman-VSS/security/advisories/GHSA-q65w-fg65-79f4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29780"
},
{
"type": "WEB",
"url": "https://en.wikipedia.org/wiki/Side-channel_attack"
},
{
"type": "PACKAGE",
"url": "https://github.com/DavidOsipov/PostQuantum-Feldman-VSS"
},
{
"type": "WEB",
"url": "https://www.rambus.com/wp-content/uploads/2015/08/TimingAttacks.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Post-Quantum Secure Feldman\u0027s Verifiable Secret Sharing has Timing Side-Channels in Matrix Operations"
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
CAPEC-189: Black Box Reverse Engineering
An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.